generated from coulomb/repo-seed
feat(registry): complete ATLAS-WP-0002 T02, T03, T06
Some checks failed
validate-registry / validate (push) Has been cancelled
Some checks failed
validate-registry / validate (push) Has been cancelled
T02: remove inherited capability.infotech.repo-template and template consumer docs (statehub-register, template-validation-checklist); add capability.infotech.config-surface-atlas and rewrite capabilities.yaml. T03: seed 4 configuration surfaces (state-hub api-config, ops-warden routing-catalog, reuse-surface federation-sources, ops-bridge tunnel-config) with registry/indexes/surfaces.yaml; source-linked, no values, secret deps by reference. T06: add tools/validate_registry.py (schema + index gate), Makefile (make validate), and .github/workflows/validate.yml (GitHub + Gitea Actions); document in stack-and-commands. Verified malformed entries are rejected. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,128 @@
|
||||
---
|
||||
id: capability.infotech.config-surface-atlas
|
||||
name: Configuration Surface Atlas
|
||||
summary: Read-first, cross-kind map and evidence layer for configuration surfaces — what configures a system, who owns it, its scope, and where the source of truth lives.
|
||||
owner: config-atlas
|
||||
status: draft
|
||||
domain: infotech
|
||||
tags:
|
||||
- configuration
|
||||
- registry
|
||||
- control-plane
|
||||
- effective-config
|
||||
- evidence
|
||||
|
||||
maturity:
|
||||
discovery:
|
||||
current: D5
|
||||
target: D6
|
||||
confidence: medium
|
||||
rationale: >
|
||||
Intent, scope, layering model, competitive landscape, and a control-plane
|
||||
research digest are documented (INTENT, SCOPE, research/, wiki/, PRD,
|
||||
ArchitectureBlueprint). Boundaries vs sister repos are explicit.
|
||||
availability:
|
||||
current: A0
|
||||
target: A2
|
||||
confidence: medium
|
||||
rationale: >
|
||||
Markdown/YAML registry with a JSON Schema for entries; no runtime resolver
|
||||
or API (intentionally — resolution is delegated). Consumed informationally
|
||||
and by agents; a source-module validator exists under tools/.
|
||||
|
||||
external_evidence:
|
||||
completeness:
|
||||
level: C2
|
||||
confidence: low
|
||||
basis: scope_vs_intent_and_consumer_expectations
|
||||
satisfied_expectations:
|
||||
- configuration-surface entry schema (schemas/surface-entry.schema.json)
|
||||
- scope/precedence/merge model (docs/configuration-surface-schema.md)
|
||||
- canon mapping to InfoTechCanon (docs/canon-mapping.md)
|
||||
- seed configuration surfaces (registry/surfaces/)
|
||||
broken_expectations: []
|
||||
out_of_scope_expectations:
|
||||
- runtime effective-value resolution
|
||||
- configuration delivery or control execution
|
||||
- secret value storage
|
||||
reliability:
|
||||
level: R2
|
||||
confidence: low
|
||||
basis: consumer_quality_signals
|
||||
known_reliability_risks:
|
||||
- schema and surface seed are early; coverage is partial
|
||||
- ownership resolution to domain-tree not yet wired
|
||||
|
||||
discovery:
|
||||
intent: >
|
||||
Make the distributed configuration surface of the ecosystem discoverable,
|
||||
explainable, and governable — map the territory before controlling it.
|
||||
includes:
|
||||
- configuration-surface registry and entry schema
|
||||
- scope/layer ordering and explicit merge semantics
|
||||
- cross-repo relationship and effective-config path modelling
|
||||
- canon alignment and sister-repo boundary documentation
|
||||
excludes:
|
||||
- runtime resolver, delivery, or control plane
|
||||
- secret values or live configuration values
|
||||
- feature-availability runtime control (feature-control owns it)
|
||||
assumptions:
|
||||
- downstream repos remain authoritative for their own config
|
||||
- reuse-surface federation and the State Hub graph are available
|
||||
use_cases: []
|
||||
research_memos:
|
||||
- research/configuration-control-plane.md
|
||||
- docs/configuration-surface-schema.md
|
||||
|
||||
availability:
|
||||
current_level: A0
|
||||
target_level: A2
|
||||
current_artifacts:
|
||||
- registry/surfaces/
|
||||
- schemas/surface-entry.schema.json
|
||||
- docs/configuration-surface-schema.md
|
||||
- docs/canon-mapping.md
|
||||
- tools/validate_registry.py
|
||||
consumption_modes:
|
||||
- informational
|
||||
- source module
|
||||
|
||||
relations:
|
||||
depends_on:
|
||||
- capability.statehub.workstream-coordinate
|
||||
supports: []
|
||||
related_to:
|
||||
- capability.registry.register
|
||||
|
||||
evidence:
|
||||
documentation:
|
||||
- INTENT.md
|
||||
- SCOPE.md
|
||||
- specs/ProductRequirementsDocument.md
|
||||
- specs/ArchitectureBlueprint.md
|
||||
- docs/ecosystem-boundaries.md
|
||||
tests:
|
||||
- tools/validate_registry.py
|
||||
|
||||
consumer_guidance:
|
||||
recommended_for:
|
||||
- discovering what configures a system and who owns it
|
||||
- reasoning about defaults, precedence, and cross-repo config relationships
|
||||
not_recommended_for:
|
||||
- storing or resolving live configuration values
|
||||
- secret management or feature-flag runtime control
|
||||
known_limitations:
|
||||
- early-stage schema and partial surface coverage
|
||||
- effective-value resolution is out of scope by design
|
||||
---
|
||||
|
||||
# Configuration Surface Atlas
|
||||
|
||||
config-atlas indexes **configuration surfaces** — bounded, named places where
|
||||
configuration is defined, read, or overridden — as source-linked registry entries
|
||||
with ownership, kind, scope, and evidence. It is the read-first map and evidence
|
||||
layer of a configuration control plane; it does not resolve, deliver, or control
|
||||
configuration (see `SCOPE.md`, `docs/ecosystem-boundaries.md`).
|
||||
|
||||
See `docs/configuration-surface-schema.md` for the entry model and
|
||||
`docs/canon-mapping.md` for InfoTechCanon alignment.
|
||||
@@ -1,121 +0,0 @@
|
||||
---
|
||||
id: capability.infotech.repo-template
|
||||
name: Coulomb Repository Template
|
||||
summary: Bootstrap new git repositories with agent instructions, registry scaffold, and State Hub onboarding conventions.
|
||||
owner: repo-seed
|
||||
status: draft
|
||||
domain: infotech
|
||||
tags:
|
||||
- template
|
||||
- bootstrap
|
||||
- state-hub
|
||||
- onboarding
|
||||
|
||||
maturity:
|
||||
discovery:
|
||||
current: D3
|
||||
target: D5
|
||||
confidence: medium
|
||||
rationale: >
|
||||
Template purpose, consumer guide, and validation checklist are documented.
|
||||
Scope boundaries are explicit in SCOPE.md.
|
||||
availability:
|
||||
current: A3
|
||||
target: A4
|
||||
confidence: medium
|
||||
rationale: >
|
||||
Consumers clone or copy repo-seed and run statehub register. Template
|
||||
files are markdown/git artifacts without a hosted provisioning API.
|
||||
|
||||
external_evidence:
|
||||
completeness:
|
||||
level: C2
|
||||
confidence: medium
|
||||
basis: scope_vs_intent_and_consumer_expectations
|
||||
satisfied_expectations:
|
||||
- agent instruction scaffold (AGENTS.md, CLAUDE.md, .claude/rules/)
|
||||
- registry directory scaffold
|
||||
- statehub register consumer documentation
|
||||
- template validation checklist for bootstrap verification
|
||||
- bootstrap workplan pattern (WP-0001)
|
||||
broken_expectations: []
|
||||
out_of_scope_expectations:
|
||||
- automated repo creation on Gitea
|
||||
- runtime application code generation
|
||||
reliability:
|
||||
level: R2
|
||||
confidence: medium
|
||||
basis: consumer_quality_signals
|
||||
known_reliability_risks:
|
||||
- register output evolves with state-hub releases; checklist must be revalidated
|
||||
- LLM inference path depends on llm-connect availability
|
||||
|
||||
discovery:
|
||||
intent: >
|
||||
Give new Coulomb repositories a consistent starting point for agent
|
||||
coordination, capability registry growth, and State Hub workplan tracking.
|
||||
includes:
|
||||
- git template files for agent instructions and registry scaffold
|
||||
- documentation for statehub register usage
|
||||
- consumer validation checklist
|
||||
- bootstrap workplan convention
|
||||
excludes:
|
||||
- application runtime implementation
|
||||
- owning downstream project code
|
||||
assumptions:
|
||||
- consumers have access to state-hub CLI and API
|
||||
- workplans remain canonical in repo files (ADR-001)
|
||||
use_cases: []
|
||||
research_memos:
|
||||
- docs/statehub-register.md
|
||||
- docs/template-validation-checklist.md
|
||||
|
||||
availability:
|
||||
current_level: A3
|
||||
target_level: A4
|
||||
current_artifacts:
|
||||
- README.md
|
||||
- AGENTS.md
|
||||
- CLAUDE.md
|
||||
- .claude/rules/
|
||||
- registry/
|
||||
- docs/statehub-register.md
|
||||
- docs/template-validation-checklist.md
|
||||
consumption_modes:
|
||||
- git clone
|
||||
- informational
|
||||
|
||||
relations:
|
||||
depends_on:
|
||||
- capability.statehub.workstream-coordinate
|
||||
supports: []
|
||||
related_to:
|
||||
- capability.registry.register
|
||||
|
||||
evidence:
|
||||
documentation:
|
||||
- docs/statehub-register.md
|
||||
- docs/template-validation-checklist.md
|
||||
- SCOPE.md
|
||||
tests: []
|
||||
|
||||
consumer_guidance:
|
||||
recommended_for:
|
||||
- bootstrapping new Coulomb domain repositories
|
||||
- standardizing agent onboarding and workplan conventions
|
||||
not_recommended_for:
|
||||
- repos that already have mature agent instructions and hub registration
|
||||
- application templates with heavy code generation requirements
|
||||
known_limitations:
|
||||
- register must be run separately after cloning
|
||||
- fix-consistency requires operator access to state-hub checkout
|
||||
---
|
||||
|
||||
# Coulomb Repository Template
|
||||
|
||||
`repo-seed` is the canonical git template for new Coulomb repositories. Clone it,
|
||||
run `statehub register`, complete the bootstrap workplan, and sync with
|
||||
`make fix-consistency`.
|
||||
|
||||
See `docs/statehub-register.md` for the consumer workflow and
|
||||
`docs/template-validation-checklist.md` for verification steps.
|
||||
@@ -1,14 +1,14 @@
|
||||
version: 1
|
||||
updated: '2026-06-24'
|
||||
updated: '2026-06-26'
|
||||
domain: infotech
|
||||
capabilities:
|
||||
- id: capability.infotech.repo-template
|
||||
name: Coulomb Repository Template
|
||||
summary: Bootstrap new git repositories with agent instructions, registry scaffold, and State Hub onboarding conventions.
|
||||
vector: D3 / A3 / C2 / R2
|
||||
- id: capability.infotech.config-surface-atlas
|
||||
name: Configuration Surface Atlas
|
||||
summary: Read-first, cross-kind map and evidence layer for configuration surfaces — what configures a system, who owns it, its scope, and where the source of truth lives.
|
||||
vector: D5 / A0 / C2 / R2
|
||||
domain: infotech
|
||||
status: draft
|
||||
owner: repo-seed
|
||||
path: registry/capabilities/capability.infotech.repo-template.md
|
||||
tags: [template, bootstrap, state-hub, onboarding]
|
||||
consumption_modes: [git clone, informational]
|
||||
owner: config-atlas
|
||||
path: registry/capabilities/capability.infotech.config-surface-atlas.md
|
||||
tags: [configuration, registry, control-plane, effective-config, evidence]
|
||||
consumption_modes: [informational, source module]
|
||||
|
||||
40
registry/indexes/surfaces.yaml
Normal file
40
registry/indexes/surfaces.yaml
Normal file
@@ -0,0 +1,40 @@
|
||||
version: 1
|
||||
updated: '2026-06-26'
|
||||
domain: infotech
|
||||
surfaces:
|
||||
- id: surface.infotech.state-hub.api-config
|
||||
name: State Hub API configuration
|
||||
kind: app-config
|
||||
summary: Runtime configuration for the Custodian State Hub API (bind host/port, database URL, environment mode).
|
||||
owner: custodian
|
||||
status: active
|
||||
default_layer: company
|
||||
security_class: operational
|
||||
path: registry/surfaces/surface.infotech.state-hub.api-config.md
|
||||
- id: surface.infotech.ops-warden.routing-catalog
|
||||
name: ops-warden credential routing catalog
|
||||
kind: policy
|
||||
summary: Catalog mapping credential/access needs to their owning subsystem, consumed via `warden route`.
|
||||
owner: ops-warden
|
||||
status: active
|
||||
default_layer: company
|
||||
security_class: policy
|
||||
path: registry/surfaces/surface.infotech.ops-warden.routing-catalog.md
|
||||
- id: surface.infotech.reuse-surface.federation-sources
|
||||
name: reuse-surface federation sources
|
||||
kind: app-config
|
||||
summary: Federation roster and source list defining which registries reuse-surface aggregates.
|
||||
owner: reuse-surface
|
||||
status: active
|
||||
default_layer: company
|
||||
security_class: operational
|
||||
path: registry/surfaces/surface.infotech.reuse-surface.federation-sources.md
|
||||
- id: surface.infotech.ops-bridge.tunnel-config
|
||||
name: ops-bridge SSH tunnel configuration
|
||||
kind: infra-state
|
||||
summary: Declares the reverse SSH tunnels exposing State Hub and MCP services to remote machines.
|
||||
owner: ops-bridge
|
||||
status: active
|
||||
default_layer: installation
|
||||
security_class: operational
|
||||
path: registry/surfaces/surface.infotech.ops-bridge.tunnel-config.md
|
||||
@@ -0,0 +1,43 @@
|
||||
---
|
||||
id: surface.infotech.ops-bridge.tunnel-config
|
||||
name: ops-bridge SSH tunnel configuration
|
||||
kind: infra-state
|
||||
summary: Declares the reverse SSH tunnels (local/remote port maps) that expose State Hub and MCP services to remote machines.
|
||||
owner: ops-bridge
|
||||
status: active
|
||||
scope:
|
||||
allowed_layers: [company, environment, installation]
|
||||
default_layer: installation
|
||||
mutability: deploy-time
|
||||
security_class: operational
|
||||
schema:
|
||||
type: object
|
||||
validator: ~/ops-bridge/schemas/tunnel.schema.yaml
|
||||
sources:
|
||||
- repo: ops-bridge
|
||||
path: config/tunnels.yaml
|
||||
role: installation-overlay
|
||||
relations:
|
||||
consumed_by:
|
||||
- service.ops-bridge
|
||||
overrides: []
|
||||
depends_on_secret:
|
||||
- ops-bridge/ssh-cert
|
||||
related_to:
|
||||
- surface.infotech.state-hub.api-config
|
||||
evidence:
|
||||
last_seen: '2026-06-26'
|
||||
discovery_method: manual
|
||||
change_log_ref: ATLAS-WP-0002-T03
|
||||
---
|
||||
|
||||
# ops-bridge SSH tunnel configuration
|
||||
|
||||
ops-bridge maintains reverse SSH tunnels that expose the State Hub API and MCP
|
||||
endpoints to remote machines (the remote port map: State Hub API `:18000`, MCP
|
||||
`:18001`). This surface maps that tunnel configuration as **infra-state**.
|
||||
|
||||
- **Source of truth:** the `ops-bridge` repo tunnel config; SSH certs are a secret
|
||||
reference (`depends_on_secret`), signed by ops-warden, never stored here.
|
||||
- **Relation:** exposes `surface.infotech.state-hub.api-config` to remote workers.
|
||||
- **Mutability:** deploy-time — tunnel changes are brought up via `bridge up`.
|
||||
@@ -0,0 +1,44 @@
|
||||
---
|
||||
id: surface.infotech.ops-warden.routing-catalog
|
||||
name: ops-warden credential routing catalog
|
||||
kind: policy
|
||||
summary: Catalog mapping credential/access needs to their owning subsystem (who issues what), consumed via `warden route`.
|
||||
owner: ops-warden
|
||||
status: active
|
||||
scope:
|
||||
allowed_layers: [company, platform]
|
||||
default_layer: company
|
||||
mutability: deploy-time
|
||||
security_class: policy
|
||||
schema:
|
||||
type: object
|
||||
validator: ~/ops-warden/registry/routing/catalog.schema.yaml
|
||||
sources:
|
||||
- repo: ops-warden
|
||||
path: registry/routing/catalog.yaml
|
||||
role: company-baseline
|
||||
relations:
|
||||
consumed_by:
|
||||
- service.warden-cli
|
||||
overrides: []
|
||||
depends_on_secret: []
|
||||
related_to:
|
||||
- surface.infotech.state-hub.api-config
|
||||
evidence:
|
||||
last_seen: '2026-06-26'
|
||||
discovery_method: manual
|
||||
change_log_ref: ATLAS-WP-0002-T03
|
||||
---
|
||||
|
||||
# ops-warden credential routing catalog
|
||||
|
||||
The credential routing catalog answers "who owns this credential need?" — SSH certs
|
||||
(ops-warden), API keys/DB passwords (OpenBao), login/OIDC (key-cape), etc. It is a
|
||||
**routing policy** surface: it carries pointers, never secret values.
|
||||
|
||||
- **Source of truth:** `ops-warden/registry/routing/catalog.yaml`; consumed via
|
||||
`warden route find/show`.
|
||||
- **Boundary:** this surface maps the catalog's existence, owner, and scope; secret
|
||||
values are never stored here (`security_class: policy`, no `depends_on_secret`).
|
||||
- **Why indexed:** credential routing is high-frequency and high-risk; the atlas
|
||||
records where the routing policy lives and who owns it.
|
||||
@@ -0,0 +1,44 @@
|
||||
---
|
||||
id: surface.infotech.reuse-surface.federation-sources
|
||||
name: reuse-surface federation sources
|
||||
kind: app-config
|
||||
summary: Federation roster and source list that define which registries reuse-surface aggregates, including the reserved id namespaces.
|
||||
owner: reuse-surface
|
||||
status: active
|
||||
scope:
|
||||
allowed_layers: [company, platform, installation]
|
||||
default_layer: company
|
||||
mutability: hot-reloadable
|
||||
security_class: operational
|
||||
schema:
|
||||
type: object
|
||||
validator: ~/reuse-surface/schemas/federation.schema.yaml
|
||||
sources:
|
||||
- repo: reuse-surface
|
||||
path: registry/federation/sources.yaml
|
||||
role: company-baseline
|
||||
- repo: reuse-surface
|
||||
path: registry/federation/local-repo-roster.yaml
|
||||
role: installation-overlay
|
||||
relations:
|
||||
consumed_by:
|
||||
- service.reuse-surface-hub
|
||||
overrides: []
|
||||
depends_on_secret: []
|
||||
related_to:
|
||||
- surface.infotech.state-hub.api-config
|
||||
evidence:
|
||||
last_seen: '2026-06-26'
|
||||
discovery_method: manual
|
||||
change_log_ref: ATLAS-WP-0002-T03
|
||||
---
|
||||
|
||||
# reuse-surface federation sources
|
||||
|
||||
The federation sources configure which registries reuse-surface aggregates and the
|
||||
id namespaces each owns. config-atlas federates here as a typed peer (the `surface.*`
|
||||
namespace reservation is ATLAS-WP-0002-T05).
|
||||
|
||||
- **Source of truth:** `reuse-surface/registry/federation/{sources,local-repo-roster}.yaml`.
|
||||
- **Why indexed:** this is the surface that governs cross-registry interoperability;
|
||||
config-atlas's own discoverability depends on it.
|
||||
Reference in New Issue
Block a user